aliases
parent
0a10b1fa12
commit
dc67f782e4
@ -6,10 +6,7 @@
|
||||
define(`consoletype_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 consoletype_exec_t:file { getattr read execute };
|
||||
allow $1 consoletype_t:process transition;
|
||||
type_transition $1 consoletype_exec_t:process consoletype_t;
|
||||
dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
|
||||
domain_auto_trans($1,consoletype_exec_t,consoletype_t)
|
||||
|
||||
allow $1 consoletype_t:fd use;
|
||||
allow consoletype_t $1:fd use;
|
||||
@ -20,7 +17,7 @@ define(`consoletype_transition',`
|
||||
define(`consoletype_transition_depend',`
|
||||
type consoletype_t, consoletype_exec_t;
|
||||
|
||||
class file { getattr read execute };
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
@ -33,7 +30,8 @@ define(`consoletype_transition_depend',`
|
||||
define(`consoletype_execute',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans };
|
||||
can_exec($1,consoletype_exec_t)
|
||||
|
||||
')
|
||||
|
||||
define(`consoletype_execute_depend',`
|
||||
|
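Review bot: consoletype_transition is the only `*_transition` interface in this commit collapsed to `domain_auto_trans($1,consoletype_exec_t,consoletype_t)`; the dmesg, netutils, rpm and usermanage (chfn/passwd/useradd) counterparts keep the explicit `allow $1 ..._exec_t:file rx_file_perms;` / transition / type_transition / dontaudit rules, so the two forms will drift apart. Either apply the macro form everywhere or keep the explicit rules here, and whichever is chosen, `consoletype_transition_depend` should be checked against the actual expansion of the macro rather than the hand-written rules it previously mirrored — a permission the macro grants but the requires block does not declare is easy to miss.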
@ -21,14 +21,14 @@ allow consoletype_t self:capability sys_admin;
|
||||
|
||||
allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow consoletype_t self:fd use;
|
||||
allow consoletype_t self:fifo_file { read getattr lock ioctl write append };
|
||||
allow consoletype_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow consoletype_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
||||
allow consoletype_t self:fifo_file rw_file_perms;
|
||||
allow consoletype_t self:unix_dgram_socket create_socket_perms;
|
||||
allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow consoletype_t self:unix_dgram_socket sendto;
|
||||
allow consoletype_t self:unix_stream_socket connectto;
|
||||
allow consoletype_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
|
||||
allow consoletype_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
|
||||
allow consoletype_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
|
||||
allow consoletype_t self:shm rw_shm_perms;
|
||||
allow consoletype_t self:sem rw_sem_perms;
|
||||
allow consoletype_t self:msgq rw_msgq_perms;
|
||||
allow consoletype_t self:msg { send receive };
|
||||
|
||||
kernel_use_file_descriptors(consoletype_t)
|
||||
@ -70,7 +70,7 @@ allow consoletype_t sysadm_t:fifo_file rw_file_perms;
|
||||
|
||||
allow consoletype_t nfs_t:file write;
|
||||
|
||||
allow consoletype_t crond_t:fifo_file { read getattr ioctl };
|
||||
allow consoletype_t crond_t:fifo_file r_file_perms;
|
||||
allow consoletype_t system_crond_t:fd use;
|
||||
|
||||
optional_policy(`ypbind.te', `
|
||||
@ -95,11 +95,11 @@ allow consoletype_t autofs_t:dir { search getattr };
|
||||
|
||||
optional_policy(`xdm.te', `
|
||||
domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
|
||||
allow consoletype_t xdm_tmp_t:file { read write };
|
||||
allow consoletype_t xdm_tmp_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
optional_policy(`lpd.te', `
|
||||
allow consoletype_t printconf_t:file { getattr read };
|
||||
allow consoletype_t printconf_t:file r_file_perms;
|
||||
')
|
||||
|
||||
optional_policy(`firstboot.te', `
|
||||
|
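Review bot: The replacement of `{ read write }` on `xdm_tmp_t:file` with `rw_file_perms` widens the rule rather than just renaming it: elsewhere in this commit `rw_file_perms` stands in for `{ read getattr lock ioctl write append }` (the consoletype_t self:fifo_file pair in the first hunk), so consoletype_t gains append, lock, ioctl and getattr on xdm's temp files. The same silent widening occurs for `rhgb_t:fifo_file` in dmesg.te and for `crond_t:fifo_file` (`{ getattr read write ioctl }`) in the crack_t block of usermanage.te. If the extra permissions are intended, say so in the commit message; otherwise keep the explicit set for these cross-domain rules, since the alias conversion is only a pure rename where the old set already matched the alias.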
@ -15,7 +15,7 @@
|
||||
define(`dmesg_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 dmesg_exec_t:file { getattr read execute };
|
||||
allow $1 dmesg_exec_t:file rx_file_perms;
|
||||
allow $1 dmesg_t:process transition;
|
||||
type_transition $1 dmesg_exec_t:process dmesg_t;
|
||||
dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
|
||||
@ -29,7 +29,7 @@ define(`dmesg_transition',`
|
||||
define(`dmesg_transition_depend',`
|
||||
type dmesg_t, dmesg_exec_t;
|
||||
|
||||
class file { getattr read execute };
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
@ -49,7 +49,8 @@ define(`dmesg_transition_depend',`
|
||||
define(`dmesg_execute',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 dmesg_exec_t:file { getattr read execute execute_no_trans };
|
||||
can_exec($1,dmesg_exec_t)
|
||||
|
||||
')
|
||||
|
||||
define(`dmesg_execute_depend',`
|
||||
|
@ -19,7 +19,7 @@ role system_r types dmesg_t;
|
||||
allow dmesg_t self:capability sys_admin;
|
||||
dontaudit dmesg_t self:capability sys_tty_config;
|
||||
|
||||
allow dmesg_t self:process { sigchld sigkill sigstop signull signal };
|
||||
allow dmesg_t self:process signal_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(dmesg_t)
|
||||
kernel_read_hardware_state(dmesg_t)
|
||||
@ -70,7 +70,7 @@ allow dmesg_t proc_t:lnk_file read;
|
||||
optional_policy(`rhgb.te', `
|
||||
allow dmesg_t rhgb_t:process sigchld;
|
||||
allow dmesg_t rhgb_t:fd use;
|
||||
allow dmesg_t rhgb_t:fifo_file { read write };
|
||||
allow dmesg_t rhgb_t:fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow dmesg_t autofs_t:dir { search getattr };
|
||||
|
@ -6,7 +6,7 @@
|
||||
define(`netutils_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 netutils_exec_t:file { getattr read execute };
|
||||
allow $1 netutils_exec_t:file rx_file_perms;
|
||||
allow $1 netutils_t:process transition;
|
||||
type_transition $1 netutils_exec_t:process netutils_t;
|
||||
dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
|
||||
@ -20,7 +20,7 @@ define(`netutils_transition',`
|
||||
define(`netutils_transition_depend',`
|
||||
type netutils_t, netutils_exec_t;
|
||||
|
||||
class file { getattr read execute };
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
@ -33,7 +33,8 @@ define(`netutils_transition_depend',`
|
||||
define(`netutils_execute',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 netutils_exec_t:file { getattr read execute execute_no_trans };
|
||||
can_exec($1,netutils_exec_t)
|
||||
|
||||
')
|
||||
|
||||
define(`netutils_execute_depend',`
|
||||
|
@ -38,12 +38,12 @@ bool user_ping false;
|
||||
allow netutils_t self:capability { net_admin net_raw setuid setgid };
|
||||
allow netutils_t self:process { sigkill sigstop signull signal };
|
||||
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
||||
allow netutils_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow netutils_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow netutils_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow netutils_t self:packet_socket create_socket_perms;
|
||||
allow netutils_t self:udp_socket create_socket_perms;
|
||||
allow netutils_t self:tcp_socket create_socket_perms;
|
||||
|
||||
allow netutils_t netutils_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||
allow netutils_t netutils_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow netutils_t netutils_tmp_t:dir create_dir_perms;
|
||||
allow netutils_t netutils_tmp_t:file create_file_perms;
|
||||
files_create_private_tmp_data(netutils_t, netutils_tmp_t, { file dir })
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces(netutils_t)
|
||||
@ -100,8 +100,8 @@ allow netutils_t proc_t:dir search;
|
||||
allow ping_t self:capability setuid;
|
||||
dontaudit ping_t self:capability sys_tty_config;
|
||||
|
||||
allow ping_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
|
||||
allow ping_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
|
||||
allow ping_t self:tcp_socket create_socket_perms;
|
||||
allow ping_t self:udp_socket create_socket_perms;
|
||||
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces(ping_t)
|
||||
@ -155,8 +155,8 @@ if (user_ping) {
|
||||
#
|
||||
|
||||
allow traceroute_t self:capability { net_admin net_raw setuid setgid };
|
||||
allow traceroute_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow traceroute_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow traceroute_t self:rawip_socket create_socket_perms;
|
||||
allow traceroute_t self:packet_socket create_socket_perms;
|
||||
allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
|
||||
|
||||
kernel_read_system_state(traceroute_t)
|
||||
|
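Review bot: `allow netutils_t self:process { sigkill sigstop signull signal };` is left explicit while the equivalent dmesg_t rule in this commit becomes `signal_perms`, and crack_t in usermanage.te keeps the explicit set as well; the self:process rules should follow one convention. Note that the dmesg_t set also contained sigchld, so if `signal_perms` includes sigchld the conversion would add it here — confirm against the macro definition before switching, or leave all three explicit.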
@ -15,7 +15,7 @@
|
||||
define(`rpm_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 rpm_exec_t:file { getattr read execute };
|
||||
allow $1 rpm_exec_t:file rx_file_perms;
|
||||
allow $1 rpm_t:process transition;
|
||||
type_transition $1 rpm_exec_t:process rpm_t;
|
||||
dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
|
||||
@ -29,7 +29,7 @@ define(`rpm_transition',`
|
||||
define(`rpm_transition_depend',`
|
||||
type rpm_t, rpm_exec_t;
|
||||
|
||||
class file { getattr read execute };
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
@ -104,13 +104,13 @@ define(`rpm_use_file_descriptors_depend',`
|
||||
define(`rpm_read_pipe',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 rpm_t:fifo_file { getattr read };
|
||||
allow $1 rpm_t:fifo_file r_file_perms;
|
||||
')
|
||||
|
||||
define(`rpm_read_pipe_depend',`
|
||||
type rpm_t;
|
||||
|
||||
class fifo_file { getattr read };
|
||||
class fifo_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -127,17 +127,17 @@ define(`rpm_read_pipe_depend',`
|
||||
define(`rpm_read_package_database',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 rpm_var_lib_t:dir { getattr read search };
|
||||
allow $1 rpm_var_lib_t:file { read getattr };
|
||||
allow $1 rpm_var_lib_t:lnk_file { getattr read };
|
||||
allow $1 rpm_var_lib_t:dir r_dir_perms;
|
||||
allow $1 rpm_var_lib_t:file r_file_perms;
|
||||
allow $1 rpm_var_lib_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
define(`rpm_read_package_database_depend',`
|
||||
type rpm_var_lib_t_t;
|
||||
|
||||
class dir { search getattr read };
|
||||
class lnk_file { getattr read };
|
||||
class file { getattr read };
|
||||
class dir r_dir_perms;
|
||||
class lnk_file r_file_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -147,7 +147,7 @@ define(`rpm_read_package_database_depend',`
|
||||
define(`rpm_manage_package_database',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
|
||||
allow $1 rpm_var_lib_t:dir rw_dir_perms;
|
||||
allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
|
||||
allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
|
||||
')
|
||||
@ -155,9 +155,9 @@ define(`rpm_manage_package_database',`
|
||||
define(`rpm_manage_package_database_depend',`
|
||||
type rpm_var_lib_t_t;
|
||||
|
||||
class dir { search getattr read };
|
||||
class lnk_file { getattr read };
|
||||
class file { getattr read };
|
||||
class dir rw_dir_perms;
|
||||
class lnk_file { getattr read write unlink };
|
||||
class file { getattr create read write append unlink };
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
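Review bot: `type rpm_var_lib_t_t;` in `rpm_read_package_database_depend` and `rpm_manage_package_database_depend` names a type the interface bodies never use — the rules (now `allow $1 rpm_var_lib_t:dir r_dir_perms;` etc.) are on `rpm_var_lib_t`, so this looks like a pre-existing typo the alias conversion carried over; both depend blocks should read `type rpm_var_lib_t;`. The same class of misspelled identifier appears on new lines elsewhere in the commit: `rpb_var_lib_t` in the cups block of rpm.te, and in usermanage.te `create_rw_socket_perms`, `rwcreate_stream_socket_perms` and `create_msgq_perm` (the other domains in the same file use `create_socket_perms`, `create_stream_socket_perms` and `create_msgq_perms`). Whether these fail the build or silently drop the rule depends on how m4 and checkpolicy treat the undefined name, so each alias used here is worth checking against the macro definitions before merging.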
@ -59,38 +59,38 @@ allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net
|
||||
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
|
||||
allow rpm_t self:fd use;
|
||||
allow rpm_t self:fifo_file { read getattr lock ioctl write append };
|
||||
allow rpm_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow rpm_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
||||
allow rpm_t self:fifo_file rw_file_perms;
|
||||
allow rpm_t self:unix_dgram_socket create_socket_perms;
|
||||
allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
|
||||
allow rpm_t self:unix_dgram_socket sendto;
|
||||
allow rpm_t self:unix_stream_socket connectto;
|
||||
allow rpm_t self:udp_socket { connect };
|
||||
allow rpm_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
|
||||
allow rpm_t self:tcp_socket { listen accept create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
|
||||
allow rpm_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
|
||||
allow rpm_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
|
||||
allow rpm_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
|
||||
allow rpm_t self:udp_socket create_socket_perms;
|
||||
allow rpm_t self:tcp_socket rw_stream_socket_perms;
|
||||
allow rpm_t self:shm create_shm_perms;
|
||||
allow rpm_t self:sem create_sem_perms;
|
||||
allow rpm_t self:msgq create_msgq_perms;
|
||||
allow rpm_t self:msg { send receive };
|
||||
allow rpm_t self:dir search;
|
||||
allow rpm_t self:file { getattr read write };
|
||||
allow rpm_t self:file rw_file_perms;;
|
||||
|
||||
allow rpm_t rpm_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow rpm_t rpm_log_t:file create_file_perms;
|
||||
logging_create_private_log(rpm_t,rpm_log_t)
|
||||
|
||||
allow rpm_t rpm_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||
allow rpm_t rpm_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow rpm_t rpm_tmp_t:dir create_dir_perms;
|
||||
allow rpm_t rpm_tmp_t:file create_file_perms;
|
||||
files_create_private_tmp_data(rpm_t, rpm_tmp_t, { file dir })
|
||||
|
||||
allow rpm_t rpm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow rpm_t rpm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow rpm_t rpm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
|
||||
allow rpm_t rpm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow rpm_t rpm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
|
||||
allow rpm_t rpm_tmpfs_t:file create_file_perms;
|
||||
allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms;
|
||||
allow rpm_t rpm_tmpfs_t:sock_file create_file_perms;
|
||||
allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms;
|
||||
fs_create_private_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
# Access /var/lib/rpm files
|
||||
allow rpm_t rpm_var_lib_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow rpm_t rpm_var_lib_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow rpm_t rpm_var_lib_t:file create_file_perms;
|
||||
allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
|
||||
#files_create_private_libraries(rpm_t,rpm_var_lib_t,dir)
|
||||
|
||||
kernel_read_system_state(rpm_t)
|
||||
@ -166,8 +166,8 @@ dontaudit rpm_t domain:process ptrace;
|
||||
|
||||
# read/write/create any files in the system
|
||||
allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
|
||||
allow rpm_t { file_type - shadow_t }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||
allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
|
||||
allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
|
||||
dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
|
||||
allow rpm_t ttyfile:chr_file unlink;
|
||||
|
||||
@ -176,10 +176,10 @@ allow rpm_t ttyfile:chr_file unlink;
|
||||
allow rpm_t fs_type:dir { setattr rw_dir_perms };
|
||||
|
||||
allow rpm_t mount_t:tcp_socket write;
|
||||
allow rpm_t nfs_t:lnk_file { create read getattr setattr link unlink rename };
|
||||
allow rpm_t nfs_t:lnk_file create_file_perms;
|
||||
|
||||
allow rpm_t sysfs_t:dir { read getattr lock search ioctl };
|
||||
allow rpm_t usbdevfs_t:dir { read getattr lock search ioctl };
|
||||
allow rpm_t sysfs_t:dir r_dir_perms;
|
||||
allow rpm_t usbdevfs_t:dir r_dir_perms;
|
||||
|
||||
allow rpm_t rpc_pipefs_t:dir search;
|
||||
|
||||
@ -220,28 +220,28 @@ allow crond_t rpm_t:fifo_file r_file_perms;
|
||||
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
|
||||
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow rpm_script_t self:fd use;
|
||||
allow rpm_script_t self:fifo_file { read getattr lock ioctl write append };
|
||||
allow rpm_script_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow rpm_script_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
||||
allow rpm_script_t self:fifo_file rw_file_perms;
|
||||
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
|
||||
allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
|
||||
allow rpm_script_t self:unix_dgram_socket sendto;
|
||||
allow rpm_script_t self:unix_stream_socket connectto;
|
||||
allow rpm_script_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
|
||||
allow rpm_script_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
|
||||
allow rpm_script_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
|
||||
allow rpm_script_t self:shm create_shm_perms;
|
||||
allow rpm_script_t self:sem create_sem_perms;
|
||||
allow rpm_script_t self:msgq create_msgq_perms;
|
||||
allow rpm_script_t self:msg { send receive };
|
||||
|
||||
allow rpm_script_t rpm_tmp_t:file { getattr read ioctl };
|
||||
allow rpm_script_t rpm_tmp_t:file r_file_perms;
|
||||
|
||||
allow rpm_script_t rpm_script_tmp_t:dir mounton;
|
||||
allow rpm_script_t rpm_script_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||
allow rpm_script_t rpm_script_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
|
||||
allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
|
||||
files_create_private_tmp_data(rpm_script_t, rpm_script_tmp_t, { file dir })
|
||||
|
||||
allow rpm_script_t rpm_script_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow rpm_script_t rpm_script_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow rpm_script_t rpm_script_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
|
||||
allow rpm_script_t rpm_script_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow rpm_script_t rpm_script_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow rpm_script_t rpm_script_tmpfs_t:dir rw_dir_perms;
|
||||
allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
|
||||
allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_file_perms;
|
||||
allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
|
||||
allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
|
||||
fs_create_private_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
kernel_read_kernel_sysctl(rpm_script_t)
|
||||
@ -316,7 +316,8 @@ ifdef(`TODO',`
|
||||
|
||||
allow rpm_script_t sysfs_t:dir r_dir_perms;
|
||||
|
||||
allow rpm_script_t usr_t:file { getattr read execute execute_no_trans };
|
||||
can_exec(rpm_script_t,usr_t)
|
||||
|
||||
|
||||
allow rpm_script_t autofs_t:dir { search getattr };
|
||||
|
||||
@ -327,7 +328,8 @@ allow rpm_script_t autofs_t:dir { search getattr };
|
||||
')
|
||||
|
||||
optional_policy(`lpd.te', `
|
||||
allow rpm_script_t printconf_t:file { getattr read execute execute_no_trans };
|
||||
can_exec(rpm_script_t,printconf_t)
|
||||
|
||||
')
|
||||
|
||||
optional_policy(`ssh.te', `
|
||||
@ -358,13 +360,13 @@ ifdef(`TODO',`
|
||||
|
||||
allow userdomain var_lib_t:dir { getattr search };
|
||||
|
||||
allow { insmod_t depmod_t } rpm_t:fifo_file { getattr read write append ioctl lock };
|
||||
allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
|
||||
|
||||
optional_policy(`cups.te', `
|
||||
allow cupsd_t rpm_var_lib_t:dir { getattr read search };
|
||||
allow cupsd_t rpm_var_lib_t:file { read getattr };
|
||||
allow cupsd_t rpb_var_lib_t:lnk_file { getattr read };
|
||||
allow cupsd_t initrc_exec_t:file { getattr read };
|
||||
allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
|
||||
allow cupsd_t rpm_var_lib_t:file r_file_perms;
|
||||
allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms;
|
||||
allow cupsd_t initrc_exec_t:file r_file_perms;
|
||||
domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
|
||||
')
|
||||
|
||||
|
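Review bot: `allow rpm_t self:file rw_file_perms;;` has a stray second semicolon, which checkpolicy is unlikely to accept; it should be `allow rpm_t self:file rw_file_perms;`. Two of the conversions in this file change what is granted rather than just the spelling: `rpm_t rpm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }` became `create_dir_perms` (adding create/setattr/link/unlink/rename/reparent/rmdir, by the mapping the same hunk uses for rpm_tmp_t:dir) while the identical rpm_script_t rule became `rw_dir_perms`, so either use `rw_dir_perms` for both or document why rpm_t needs more; and `unix_stream_socket`/`tcp_socket` sets that contained `create`, `listen` and `accept` became `rw_stream_socket_perms` for rpm_t and rpm_script_t, whereas consoletype_t got `create_stream_socket_perms` for the same old set — if `rw_stream_socket_perms` lacks create, rpm_t loses the ability to open those sockets. Given the `{ file_type - shadow_t }` and `domain:process` rules this domain already carries, any widening here deserves a second look.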
@ -15,7 +15,7 @@
|
||||
define(`usermanage_chfn_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 chfn_exec_t:file { getattr read execute };
|
||||
allow $1 chfn_exec_t:file rx_file_perms;
|
||||
allow $1 chfn_t:process transition;
|
||||
type_transition $1 chfn_exec_t:process chfn_t;
|
||||
dontaudit $1 chfn_t:process { noatsecure siginh rlimitinh };
|
||||
@ -29,7 +29,7 @@ define(`usermanage_chfn_transition',`
|
||||
define(`usermanage_chfn_transition_depend',`
|
||||
type chfn_t, chfn_exec_t;
|
||||
|
||||
class file { getattr read execute };
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
@ -81,11 +81,7 @@ define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
|
||||
define(`usermanage_groupadd_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 groupadd_exec_t:file { getattr read execute };
|
||||
allow $1 groupadd_t:process transition;
|
||||
type_transition $1 groupadd_exec_t:process groupadd_t;
|
||||
dontaudit $1 groupadd_t:process { noatsecure siginh rlimitinh };
|
||||
|
||||
domain_auto_trans($1,groupadd_t,groupadd_t)
|
||||
allow $1 groupadd_t:fd use;
|
||||
allow groupadd_t $1:fd use;
|
||||
allow groupadd_t $1:fifo_file rw_file_perms;
|
||||
@ -95,7 +91,7 @@ define(`usermanage_groupadd_transition',`
|
||||
define(`usermanage_groupadd_transition_depend',`
|
||||
type groupadd_t, groupadd_exec_t;
|
||||
|
||||
class file { getattr read execute };
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
@ -147,7 +143,7 @@ define(`usermanage_groupadd_transition_add_role_use_terminal_depend',`
|
||||
define(`usermanage_passwd_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 passwd_exec_t:file { getattr read execute };
|
||||
allow $1 passwd_exec_t:file rx_file_perms;
|
||||
allow $1 passwd_t:process transition;
|
||||
type_transition $1 passwd_exec_t:process passwd_t;
|
||||
dontaudit $1 passwd_t:process { noatsecure siginh rlimitinh };
|
||||
@ -161,7 +157,7 @@ define(`usermanage_passwd_transition',`
|
||||
define(`usermanage_passwd_transition_depend',`
|
||||
type passwd_t, passwd_exec_t;
|
||||
|
||||
class file { getattr read execute };
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
@ -213,7 +209,7 @@ define(`usermanage_passwd_transition_add_role_use_terminal_depend',`
|
||||
define(`usermanage_useradd_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 useradd_exec_t:file { getattr read execute };
|
||||
allow $1 useradd_exec_t:file rx_file_perms;
|
||||
allow $1 useradd_t:process transition;
|
||||
type_transition $1 useradd_exec_t:process useradd_t;
|
||||
dontaudit $1 useradd_t:process { noatsecure siginh rlimitinh };
|
||||
@ -227,7 +223,7 @@ define(`usermanage_useradd_transition',`
|
||||
define(`usermanage_useradd_transition_depend',`
|
||||
type useradd_t, useradd_exec_t;
|
||||
|
||||
class file { getattr read execute };
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
|
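Review bot: `domain_auto_trans($1,groupadd_t,groupadd_t)` passes the domain type as the entrypoint: the rules it replaces were keyed on `groupadd_exec_t` (`allow $1 groupadd_exec_t:file ...`, `type_transition $1 groupadd_exec_t:process groupadd_t;`), and the equivalent consoletype interface in this commit passes `consoletype_exec_t`, so this should be `domain_auto_trans($1,groupadd_exec_t,groupadd_t)`. As written, callers of usermanage_groupadd_transition no longer get a transition on executing the groupadd binary. Separately, this is the only usermanage interface converted to the macro form — chfn, passwd and useradd keep the explicit rules in the same file.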
@ -66,14 +66,14 @@ allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resou
|
||||
allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow chfn_t self:process { setrlimit setfscreate };
|
||||
allow chfn_t self:fd use;
|
||||
allow chfn_t self:fifo_file { read getattr lock ioctl write append };
|
||||
allow chfn_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow chfn_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
||||
allow chfn_t self:fifo_file rw_file_perms;
|
||||
allow chfn_t self:unix_dgram_socket create_rw_socket_perms;
|
||||
allow chfn_t self:unix_stream_socket rwcreate_stream_socket_perms;
|
||||
allow chfn_t self:unix_dgram_socket sendto;
|
||||
allow chfn_t self:unix_stream_socket connectto;
|
||||
allow chfn_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
|
||||
allow chfn_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
|
||||
allow chfn_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
|
||||
allow chfn_t self:shm create_shm_perms;
|
||||
allow chfn_t self:sem create_sem_perms;
|
||||
allow chfn_t self:msgq create_msgq_perms;
|
||||
allow chfn_t self:msg { send receive };
|
||||
|
||||
kernel_read_system_state(chfn_t)
|
||||
@ -147,15 +147,15 @@ dontaudit chfn_t selinux_config_t:dir search;
|
||||
#
|
||||
|
||||
allow crack_t self:process { sigkill sigstop signull signal };
|
||||
allow crack_t self:fifo_file { read write getattr };
|
||||
allow crack_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow crack_t crack_db_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow crack_t crack_db_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow crack_t crack_db_t:lnk_file { create read getattr setattr link unlink rename };
|
||||
allow crack_t crack_db_t:dir rw_dir_perms;
|
||||
allow crack_t crack_db_t:file create_file_perms;
|
||||
allow crack_t crack_db_t:lnk_file create_file_perms;
|
||||
files_search_system_state_data_directory(crack_t)
|
||||
|
||||
allow crack_t crack_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||
allow crack_t crack_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow crack_t crack_tmp_t:dir create_dir_perms;
|
||||
allow crack_t crack_tmp_t:file create_file_perms;
|
||||
files_create_private_tmp_data(crack_t, crack_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(crack_t)
|
||||
@ -180,7 +180,7 @@ logging_send_system_log_message(crack_t)
|
||||
ifdef(`TODO',`
|
||||
ifdef(`crond.te', `
|
||||
domain_auto_trans(system_crond_t, crack_exec_t, crack_t)
|
||||
allow crack_t crond_t:fifo_file { getattr read write ioctl };
|
||||
allow crack_t crond_t:fifo_file rw_file_perms;
|
||||
# a rule for privfd may make this obsolete
|
||||
allow crack_t crond_t:fd use;
|
||||
allow crack_t crond_t:process sigchld;
|
||||
@ -199,14 +199,14 @@ dontaudit groupadd_t self:capability fsetid;
|
||||
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow groupadd_t self:process { setrlimit setfscreate };
|
||||
allow groupadd_t self:fd use;
|
||||
allow groupadd_t self:fifo_file { read getattr lock ioctl write append };
|
||||
allow groupadd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow groupadd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
||||
allow groupadd_t self:fifo_file rw_file_perms;
|
||||
allow groupadd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow groupadd_t self:unix_dgram_socket sendto;
|
||||
allow groupadd_t self:unix_stream_socket connectto;
|
||||
allow groupadd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
|
||||
allow groupadd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
|
||||
allow groupadd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
|
||||
allow groupadd_t self:shm create_shm_perms;
|
||||
allow groupadd_t self:sem create_sem_perms;
|
||||
allow groupadd_t self:msgq create_msgq_perms;
|
||||
allow groupadd_t self:msg { send receive };
|
||||
|
||||
# Allow access to context for shadow file
|
||||
@ -275,14 +275,14 @@ allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_res
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow passwd_t self:process { setrlimit setfscreate };
allow passwd_t self:fd use;
allow passwd_t self:fifo_file { read getattr lock ioctl write append };
allow passwd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow passwd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow passwd_t self:fifo_file rw_file_perms;
allow passwd_t self:unix_dgram_socket create_socket_perms;
allow passwd_t self:unix_stream_socket create_stream_socket_perms;
allow passwd_t self:unix_dgram_socket sendto;
allow passwd_t self:unix_stream_socket connectto;
allow passwd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow passwd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow passwd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perm;
allow passwd_t self:msg { send receive };
kernel_get_selinuxfs_mount_point(passwd_t)
@ -366,19 +366,19 @@ allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use;
allow sysadm_passwd_t self:fifo_file { read getattr lock ioctl write append };
allow sysadm_passwd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow sysadm_passwd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow sysadm_passwd_t self:fifo_file rw_file_perms;
allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
allow sysadm_passwd_t self:unix_dgram_socket sendto;
allow sysadm_passwd_t self:unix_stream_socket connectto;
allow sysadm_passwd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow sysadm_passwd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow sysadm_passwd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow sysadm_passwd_t self:shm create_shm_perms;
allow sysadm_passwd_t self:sem create_sem_perms;
allow sysadm_passwd_t self:msgq create_msgq_perms;
allow sysadm_passwd_t self:msg { send receive };
# allow vipw to create temporary files under /var/tmp/vi.recover
allow sysadm_passwd_t sysadm_passwd_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow sysadm_passwd_t sysadm_passwd_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
allow sysadm_passwd_t sysadm_passwd_tmp_t:file creat_file_perms;
files_create_private_tmp_data(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
files_search_system_state_data_directory(sysadm_passwd_t)
@ -463,14 +463,14 @@ allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid s
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow useradd_t self:process setfscreate;
allow useradd_t self:fd use;
allow useradd_t self:fifo_file { read getattr lock ioctl write append };
allow useradd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow useradd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow useradd_t self:fifo_file rw_file_perms;
allow useradd_t self:unix_dgram_socket create_socket_perms;
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
allow useradd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow useradd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow useradd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow useradd_t self:shm create_shm_perms;
allow useradd_t self:sem create_sem_perms;
allow useradd_t self:msgq create_msgq_perms;
allow useradd_t self:msg { send receive };
# Allow access to context for shadow file